Contributing Qualys modules

| Module | Description |
|---|---|
| PCI Compliance (PCI) | Qualys is an Approved Scanning Vendor (ASV) for PCI. It helps to automate, simplify, and attain PCI compliance quickly. Qualys PCI is the most accurate, easy, and cost-effective solution for PCI compliance testing, reporting and submission. |
| Policy Compliance (PC) | Assess security configurations of IT systems throughout your network. Qualys PC is a next-gen solution for continuous risk reduction and compliance with internal policies and external regulations. |
| CloudView (CSA) | Continuously monitor and assess your cloud assets and resources for misconfigurations and non-standard deployments. Qualys CSA is a next-generation cloud app for unparalleled visibility and continuous security of public cloud infrastructure. |
| Security Assessment Questionnaire (SAQ) | Minimize the risk of doing business with vendors and other third parties. Qualys SAQ is a transformative solution for automating and streamlining an organization’s vendor risk management process. |
| File Integrity Monitoring (FIM) | Log and track file changes across global IT systems. Qualys FIM is a cloud solution for detecting and identifying critical changes, incidents, and risks resulting from normal and malicious events. |
| CyberSecurity Asset Management (CSAM) | Build a comprehensive asset inventory. Qualys CSAM allows you to continuously inventory assets, apply business criticality and risk context, detect security gaps like unauthorized or EOL software, and respond with appropriate actions to mitigate risk, thus reducing the ‘threat debt’. |
| Vulnerability Management, Detection and Response (VMDR) | All-in-one vulnerability management, detection, and response. Qualys VMDR continuously identifies critical vulnerabilities and misconfigurations on the industry’s widest range of devices, including mobile devices, operating systems, and applications. It also helps you in prioritization and remediation of the same. |
| Certificate View (CRA) (CERT) | Assess your digital certificates and TLS configurations. Qualys CRA is a next-generation cloud app for continuous monitoring, dynamic dashboarding and custom reporting of certificate issues and vulnerabilities. |
| Endpoint Detection and Response (EDR) | Continuous detection of exploitable vulnerabilities and misconfigurations on your endpoints. Qualys Multi-Vector EDR continuously detects CVEs with exploits available in the wild, as well as exploitable security misconfigurations, and automatically prioritizes them for one-click patching or remediation, all in a single workflow! |
| Patch Management (PM) | Streamline and accelerate vulnerability remediation for all your IT assets. Qualys PM automatically correlates vulnerabilities to patch deployments so you can remediate quickly, proactively, and consistently. |
| Continuous Monitoring (CM) | Alerts you in real time about network irregularities. Qualys CM is a next-generation solution for identifying threats and monitoring unexpected network changes before they turn into breaches. |
| Web Application Scanning (WAS) | Secure web applications with end-to-end protection. Qualys WAS is a robust solution for continuous web app discovery and detection of vulnerabilities and misconfigurations. |
| Context XDR (Extended Detection & Response) | Bringing context and clarity to enterprise security operations. Qualys Context XDR provides a risk-focused, single pane of glass for enterprise-wide threat detection and incident response by bringing together risk posture, asset criticality, threat intelligence and your enterprise third-party solution data. |


Mapping of Qualys Suite to PCI Data Security Standard Requirements

PCI DSS Requirements v3.2.1

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

| Requirement | Qualys mapping | Module |
|---|---|---|
| 1.1 Establish and implement firewall and router configuration standards that include the following: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.1.3 Current diagram that shows all cardholder data flows across systems and networks | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.1.5 Description of groups, roles, and responsibilities for management of network components | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. Qualys also helps in asset configuration assessment against baseline. | SAQ |
| 1.1.7 Requirement to review firewall and router rule sets at least every six months | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment | Qualys enables you to check for the presence of firewalls and ensure appropriate configurations. | |
| 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic | Qualys enables you to check for the presence of firewalls and ensure appropriate configurations. | |
| 1.2.2 Secure and synchronize router configuration files | Qualys enables you to check for the presence of firewalls and ensure appropriate configurations. | |
| 1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment | Qualys enables you to check for the presence of firewalls and ensure appropriate configurations. | |
| 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.1 Implement a DMZ limiting inbound traffic to system components that provide authorized publicly-accessible services, protocols, and ports | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.3 Implement anti-spoofing measures to detect and block forged-source IP addresses from entering the network | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.5 Permit only “established” connections into the network | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include: • Specific configuration settings are defined. • Personal firewall (or equivalent functionality) is actively running. • Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices. | Qualys enables you to remotely check for the presence of personal firewalls deployed on servers, desktops, and laptops. | |
| 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

| Requirement | Qualys mapping | Module |
|---|---|---|
| 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | Qualys enables you to verify that vendor-provided defaults are not used by checking for default and system accounts on servers, desktops, and network devices. | |

| 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. | Qualys can be used to verify that default settings and default passwords are not used across wireless devices connected to the wired network. | |
| 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | |
| 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system. | Qualys enables you to discover systems on the network as well as detect network-exposed services running on the systems, significantly reducing the effort needed to bring the environment in compliance. | |
| 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. | Qualys enables you to assess whether configuration settings are accurately hardened for insecure services in the organization. You can also report on insecure protocols and daemons that are being used, based on security benchmarks and best practices. | |
| 2.2.4 Configure system security parameters to prevent misuse. | Qualys enables you to effectively and automatically validate if the systems are configured as per the organization's security requirements, so that misuses can be prevented. | |
| 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers | Qualys enables you to discover some of the insecure and typically unnecessary functionalities exposed to the network, significantly reducing the effort needed to bring the environment in compliance. | |
| 2.3 Encrypt all non-console administrative access using strong cryptography | Qualys enables you to validate that encrypted protocols are in use across systems and that unencrypted communication is not enabled on servers and workstations (SSH, not telnet; SSL, not unencrypted HTTP, etc.). | |
| 2.4 Maintain an inventory of system components that are in scope for PCI DSS. | Qualys enables you to continuously inventory assets, apply business criticality and risk context, detect security gaps like unauthorized or EOL software, and respond with appropriate actions to mitigate risk. | |
| 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |


Requirement 3: Protect stored cardholder data

| Requirement | Qualys mapping | Module |
|---|---|---|
| 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: • Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements • Specific retention requirements for cardholder data • Processes for secure deletion of data when no longer needed • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: • One-way hashes based on strong cryptography (hash must be of the entire PAN) • Truncation (hashing cannot be used to replace the truncated segment of PAN) • Index tokens and pads (pads must be securely stored) • Strong cryptography with associated key-management | Qualys enables you to confirm use of encryption across PCI systems in scope by checking relevant system configuration settings. | |
| 3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse: | Qualys enables you to validate security settings required for the protection of system encryption keys. | SAQ |
| 3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key • Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) • As at least two full-length key components or key shares, in accordance with an industry-accepted method | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.5.4 Store cryptographic keys in the fewest possible locations | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | |
| 3.6.1 Generation of strong cryptographic keys | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | |
| 3.6.2 Secure cryptographic key distribution | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6.3 Secure cryptographic key storage | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57) | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6.7 Prevention of unauthorized substitution of cryptographic keys | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |

Requirement 4: Encrypt transmission of cardholder data across open, public networks

| Requirement | Qualys mapping | Module |
|---|---|---|
| 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: | Qualys enables you to validate the use of strong cryptographic protocols by checking relevant system configuration settings as well as detect instances of insecure cipher used across the systems that are in scope for assessments. | |
| 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission | Qualys enables you to detect wireless access points from within the network and validate the use of appropriate encryptions across the access points. | |
| 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.) | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |

Requirement 5: Use and regularly update anti-virus software or programs

| Requirement | Qualys mapping | Module |
|---|---|---|
| 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) | Qualys enables you to validate whether an anti-virus software is installed on the systems that are in scope for assessments. | |
| 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software | Qualys enables you to validate whether the installed anti-virus mechanisms are up-to-date, perform regular system scans, and generate logs. | |
| 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 5.2 Ensure that all anti-virus mechanisms are maintained as follows: • Are kept current • Perform periodic scans • Generate audit logs which are retained per PCI DSS Requirement 10.7. | Qualys enables you to validate whether the installed anti-virus mechanisms are up-to-date, perform regular system scans, and generate logs. Helps identify critical vulnerabilities, misconfigurations, malware and suspicious activity on all endpoints, and stop stealthy attacks and breaches. | EDR |
| 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. | Qualys enables you to check for the current status of the installed anti-virus tools. Qualys helps you in automatically detecting unknown or unmanaged devices and software, critical vulnerabilities, misconfigurations, malware and suspicious activity on all endpoints, and stop stealthy attacks and breaches. | |
| 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |


Requirement 6: Develop and maintain secure systems and applications

| Requirement | Qualys mapping | Module |
|---|---|---|
| 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities | Qualys’ vulnerability management solution VMDR lets you scan systems, identify and prioritize vulnerabilities on the basis of their criticality and implement remediation measures. | VMDR |
| 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release | Qualys enables you to detect missing OS and application patches and security updates. Qualys VMDR is constantly updated with new vulnerability information and can be used in a process of tracking newly-discovered vulnerabilities, prioritization as well as remediation with patch management. | PM |
| 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. • Code reviews ensure code is developed according to secure coding guidelines • Appropriate corrections are implemented prior to release. • Code-review results are reviewed and approved by management prior to release. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | |
| 6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.1 Separate development/test environments from production environments and enforce the separation with access controls. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.2 Separation of duties between development/test and production environments | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.3 Production data (live PANs) are not used for testing or development | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.4 Removal of test data and accounts from system components before the system becomes active/goes into production | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | |
| 6.4.5 Change control procedures must include the following: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.5.1 Documentation of impact | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.5.2 Documented change approval by authorized parties | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | |
| 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.5.4 Back-out procedures. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.5 Address common coding vulnerabilities in software-development processes as follows: • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. • Develop applications based on secure coding guidelines. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | |
| 6.5.2 Buffer overflows | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | VMDR |
| 6.5.3 Insecure cryptographic storage | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | VMDR, SAQ |
| 6.5.4 Insecure communications | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | VMDR |
| 6.5.5 Improper error handling | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ |
| 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1) | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | VMDR |
| 6.5.7 Cross-site scripting (XSS) | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | VMDR |
| 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions) | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | VMDR |
| 6.5.9 Cross-site request forgery (CSRF) | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new vulnerabilities, prioritizing asset security and undertaking remediation. | |
| 6.5.10 Broken authentication and session management | Qualys VMDR is constantly updated with new vulnerability information and can be used in a continuous process of tracking new | |
vulnerabilities, prioritizing asset security and 
undertaking remediation. 


VMDR 


VMDR 


6.6 


For public-facing web applications, 
address new threats and 
vulnerabilities on an ongoing basis 
and ensure these applications are 
protected against known attacks by 
either of the following methods: 


* Reviewing public-facing web 
applications via manual or 
automated application vulnerability 
security assessment tools or 
methods, at least annually and 
after any changes 

* Installing an automated technical 
solution that detects and prevents 
web-based attacks (for example, a 
web-application firewall) in front of 


Qualys WAS crawls your web applications to 
analyze threats. It reports and prioritizes the 
actions that you need to take for remediation. 


public-facing web applications, to 
continually check all traffic. 


6.7 


Ensure that security policies and 
operational procedures for 
developing and maintaining secure 
systems and applications are 
documented, in use, and known to 
all affected parties. 


Qualys enables you to have a confirmation on 
the presence of policy or procedural controls 
using its survey-based workflow. 


Requirement 7: Restrict access to cardholder data by business need to know 


SAQ 


7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access
    Qualys can analyze database user rights and permissions, looking for broad and insecure permissions.

7.1.1 Define access needs for each role, including:
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.
    Module: SAQ

7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.
    Module: SAQ

7.1.3 Assign access based on individual personnel’s job classification and function
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.

7.1.4 Require documented approval by authorized parties specifying required privileges
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.
    Module: SAQ

7.2 Establish an access control system(s) for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.
    Module: SAQ

7.2.1 Coverage of all system components
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.
    Module: SAQ

7.2.2 Assignment of privileges to individuals based on job classification and function
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.

7.2.3 Default “deny-all” setting
    Qualys enables you to confirm the presence of policy or procedural controls as well as to assess an asset’s configuration compliance status.
    Module: SAQ

7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

Requirement 8: Assign a unique ID to each person with computer access 


8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.1.3 Immediately revoke access for any terminated users
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.1.4 Remove/disable inactive user accounts within 90 days
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Monitored when in use.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
    Qualys enables you to detect user accounts with inappropriate authentication settings, such as accounts with no passwords or with blank passwords.

8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components
    Qualys enables you to detect misconfigurations in system settings to ensure that credentials are properly encrypted.

8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.2.3 Passwords/passphrases must meet the following:
  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.2.4 Change user passwords/passphrases at least once every 90 days.
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
    Qualys enables you to verify system configurations as per your organization’s security requirements.
    Module: CV

8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.4 Document and communicate authentication policies and procedures to all users including:
  • Guidance on selecting strong authentication credentials
  • Guidance for how users should protect their authentication credentials
  • Instructions not to reuse previously used passwords
  • Instructions to change passwords if there is any suspicion the password could be compromised.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
  • Generic user IDs are disabled or removed.
  • Shared user IDs do not exist for system administration and other critical functions.
  • Shared and generic user IDs are not used to administer any system components.
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer
    Qualys enables you to verify system configurations as per your organization’s security requirements.

8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
  • All user access to, user queries of, and user actions on databases are through programmatic methods.
  • Only database administrators have the ability to directly access or query databases.
  • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
    Qualys can be used to validate an extensive set of user account security settings and password security parameters across systems.

8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ


Requirement 9: Restrict physical access to cardholder data


9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
  • Identifying onsite personnel and visitors (for example, assigning badges)
  • Changes to access requirements
  • Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

9.3 Control physical access for onsite personnel to sensitive areas as follows:
  • Access must be authorized and based on individual job function.
  • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.4 Implement procedures to identify and authorize visitors
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.5 Physically secure all media.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.6.1 Classify media so the sensitivity of the data can be determined
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.6.3 Ensure management approve any and all media that is moved from a secured area (including when media is distributed to individuals)
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.7 Maintain strict control over the storage and accessibility of media
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

9.9.1 Maintain an up-to-date list of devices. The list should include the following:
  • Make, model of device
  • Location of device (for example, the address of the site or facility where the device is located)
  • Device serial number or other method of unique identification.
    Qualys enables you to automate asset detection and inventory management work.

9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device)
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
  • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
  • Do not install, replace, or return devices without verification.
  • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
  • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

Requirement 10: Track and monitor all access to network resources and cardholder data 


10.1 Implement audit trails to link all access to system components of each individual user.
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2 Implement automated audit trails for all system components to reconstruct the following events:
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2.1 All individual user accesses to cardholder data
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2.2 All actions taken by any individual with root or administrative privileges
    Qualys enables you to verify system configurations as per your organization’s security requirements.
    Module: PC, CV

10.2.3 Access to all audit trails
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2.4 Invalid logical access attempts
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2.6 Initialization, stopping, or pausing of the audit logs
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.2.7 Creation and deletion of system-level objects
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3 Record at least the following audit trail entries for all system components for each event:
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3.1 User identification
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3.2 Type of event
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3.3 Date and time
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3.4 Success or failure indication
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3.5 Origination of event
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.3.6 Identity or name of affected data, system component, or resource
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time:
    Qualys logs and audit trails are time-stamped and synchronized to ensure appropriate logging of events.

10.4.1 Critical systems have the correct and consistent time
    Qualys enables you to validate whether systems point to the correct NTP server.

10.4.2 Time data is protected
    Qualys enables you to verify system configurations as per your organization’s security requirements.

10.4.3 Time settings are received from industry-accepted time sources
    Qualys enables you to validate whether systems point to the correct NTP server.

10.5 Secure audit trails so they cannot be altered
    Qualys enables you to verify system access.
    Module: PC

10.5.1 Limit viewing of audit trails to those with a job-related need
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

10.5.2 Protect audit trail files from unauthorized modifications
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
    Qualys enables you to detect any unauthorized changes made in system or critical files.

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.6.1 Review the following at least daily:
  • All security events
  • Logs of all system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.

10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.6.3 Follow up exceptions and anomalies identified during the review process
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
  • Restoring security functions
  • Identifying and documenting the duration (date and time start to end) of the security failure
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent cause of failure from reoccurring
  • Resuming monitoring of security controls
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ


Requirement 11: Regularly test security systems and processes 


11.1 Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. It also helps in prioritizing and remediating vulnerabilities.

11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification
    Qualys enables you to automate asset detection and inventory management work.

11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected
    Qualys enables you to confirm the presence of policy or procedural controls using its survey-based workflow.
    Module: SAQ

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. It also helps in prioritizing and remediating vulnerabilities.

11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. It also helps in prioritizing and remediating vulnerabilities.

11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. Qualys is an Approved Scanning Vendor approved by the PCI Council and can be used for both external scanning and ongoing internal scanning.
    Module: PCI

11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. It also helps in prioritizing and remediating vulnerabilities.

11.3 Implement a methodology for penetration testing.
    Qualys includes active penetration testing that can be automated to run at specific intervals and create reports on the status of all tests, so that you can understand the risks to your network.
    Module: WAS

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment)
    Qualys includes active penetration testing that can be automated to run at specific intervals and create reports on the status of all tests, so that you can understand the risks to your network.
    Module: WAS

11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment)
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. It also helps in prioritizing and remediating vulnerabilities.
    Module: WAS

11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections
    Qualys enables you to scan for vulnerabilities from inside and outside of your network. It also helps in prioritizing and remediating vulnerabilities.

11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to
verify that the segmentation 
methods are operational and 
effective, and isolate all out-of- 
scope systems from systems in the 
CDE 


Qualys enables you to scan for vulnerabilities 
from inside and outside of your network. Also 
helps in prioritization and remediation of 
vulnerabilities. 


VMDR 


WAS 


11.3.4.1 


Additional requirement for service 
providers only: If segmentation is 
used, confirm PCI DSS scope by 
performing penetration testing on 
segmentation controls at least 
every six months and after any 
changes to segmentation 
controls/methods 


Qualys enables you to scan for vulnerabilities 
from inside and outside of your network. Also 
helps in prioritization and remediation of 
vulnerabilities. 


VMDR 


WAS 


Use intrusion-detection and/or 
intrusion-prevention techniques to 
detect and/or prevent intrusions 
into the network. Monitor all traffic 
at the perimeter of the cardholder 
data environment as well as at 
critical points in the cardholder data 
environment and alert personnel to 
suspected compromises 


Qualys enables you to have a confirmation on 
the presence of policy or procedural controls 
using its survey-based workflow. 


SAQ 


Deploy a change-detection 
mechanism (for example, file- 
integrity monitoring tools) to alert 
personnel to unauthorized 
modification (including changes, 
additions, and deletions) of critical 
system files, configuration files, or 
content files, and configure the 
software to perform critical file 
comparisons at least weekly 


Qualys enables you to detect any 
unauthorized changes made in system files 
or any of the customer-defined critical files. 


FIM 


11.5.1 


Implement a process to respond to 
any alerts generated by the 
change-detection solution 


Qualys enables you to have a confirmation on 
the presence of policy or procedural controls 
using its survey-based workflow. 


SAQ 


11.6 


Ensure that security policies and 
operational procedures for security 
monitoring and testing are 
documented, in use, and known to 
all affected parties 


Qualys enables you to have a confirmation on 
the presence of policy or procedural controls 
using its survey-based workflow. 


SAQ 


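The change-detection mechanism that Requirement 11.5 asks for (alert on changes, additions and deletions of critical files; compare at least weekly) reduces to a small baseline-and-compare routine. The following is an added illustration of that mechanism written for this page; it is not Qualys FIM's code and does not describe how the Qualys module works internally. The directory layout, file contents and timestamps are constructed for the demonstration.

```python
"""Minimal file-integrity monitoring (FIM) baseline-and-compare routine.

Added example, not Qualys FIM's own code.  It shows what a change-detection
mechanism in the sense of PCI DSS 11.5 has to do: hash the critical files once
(baseline), hash them again on a schedule, and alert on additions,
modifications and deletions.  All paths and contents below are constructed.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB blocks so large files are not loaded whole


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the monitored tree
    cannot make an unrelated file look like a monitored one.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots into the three 11.5 event kinds."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def comparison_overdue(last_run_iso: str, now_iso: str, max_days: int = 7) -> bool:
    """True when the last critical-file comparison is older than the required
    interval (11.5 demands at least weekly).  Timestamps are ISO 8601 strings."""
    last_run = datetime.fromisoformat(last_run_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_run > timedelta(days=max_days)


def demo() -> dict[str, list[str]]:
    """Build a throwaway tree, take a baseline, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")   # constructed sample
        (root / "etc" / "users.db").write_bytes(b"\x00\x01\x02")  # constructed sample
        (root / "index.html").write_text("<h1>shop</h1>\n")      # constructed sample
        baseline = build_baseline(root)

        # Simulate the three event kinds a FIM tool must surface.
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")  # change
        (root / "etc" / "users.db").unlink()                                 # deletion
        (root / "etc" / "extra.conf").write_text("x=1\n")                    # addition

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"ALERT {kind}: {name}")
    print("weekly comparison overdue:",
          comparison_overdue("2024-01-01T00:00:00", "2024-01-09T00:00:00"))
```

In practice the baseline would be stored outside the monitored host (or signed), since a baseline an attacker can rewrite detects nothing; the 11.5.1 process then decides who handles each ALERT line.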
Requirement 12: Maintain a policy that addresses information security for all personnel

Req. | Requirement | Qualys capability | Module
12.1 | Establish, publish, maintain, and disseminate a security policy | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.1.1 | Review the security policy at least annually and update the policy when the environment changes | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.2 | Implement a risk-assessment process that: • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.), • Identifies critical assets, threats, and vulnerabilities, and • Results in a formal, documented analysis of risk. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3 | Develop usage policies for critical technologies and define proper use of these technologies: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.1 | Explicit approval by authorized parties | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.2 | Authentication for use of the technology | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.3 | A list of all such devices and personnel with access | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.4 | A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.5 | Acceptable uses of the technology | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.6 | Acceptable network locations for the technologies | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.7 | List of company-approved products | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.8 | Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.9 | Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.3.10 | For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.4 | Ensure that the security policy and procedures clearly define information security responsibilities for all personnel | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.4.1 | Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: • Overall accountability for maintaining PCI DSS compliance • Defining a charter for a PCI DSS compliance program and communication to executive management | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.5 | Assign to an individual or team the following information security management responsibilities: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.5.1 | Establish, document, and distribute security policies and procedures | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.5.2 | Monitor and analyze security alerts and information, and distribute to appropriate personnel | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.5.3 | Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.5.4 | Administer user accounts, including additions, deletions, and modifications | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.5.5 | Monitor and control all access to data. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.6 | Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.6.1 | Educate personnel upon hire and at least annually. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.6.2 | Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.7 | Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks) | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.8 | Maintain and implement policies and procedures to manage service providers, with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.8.1 | Maintain a list of service providers including a description of the service provided | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.8.2 | Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.8.3 | Ensure there is an established process for engaging service providers including proper due diligence prior to engagement | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.8.4 | Maintain a program to monitor service providers’ PCI DSS compliance status at least annually. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.8.5 | Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.9 | Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.10 | Implement an incident response plan. Be prepared to respond immediately to a system breach | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.10.1 | Create the incident response plan to be implemented in the event of system breach. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.10.2 | Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.10.3 | Designate specific personnel to be available on a 24/7 basis to respond to alerts | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.10.4 | Provide appropriate training to staff with security breach response responsibilities. | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.10.5 | Include alerts from security monitoring systems, including but not limited to intrusion detection, intrusion prevention, firewalls, and file-integrity monitoring systems | Qualys provides you a risk-focused, single pane of glass for enterprise-wide threat detection and incident response. This provides visibility, contextual priority, and meaningful insights about the assets that allow teams to quickly make the most impactful decisions for enhanced protection. | XDR
12.10.6 | Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.11 | Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: • Daily log reviews • Firewall rule-set reviews • Applying configuration standards to new systems • Responding to security alerts • Change management processes | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ
12.11.1 | Additional requirement for service providers only: Maintain documentation of quarterly review process to include: • Documenting results of the reviews • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program | Qualys enables you to have a confirmation on the presence of policy or procedural controls using its survey-based workflow. | SAQ